Never Run a SIP Server on Port 5060

The well-known port for SIP is 5060. It’s common knowledge. Convention. You might say it’s the default. To be clear, RFC 3261 says: “If the port is absent, the default value depends on the transport. It is 5060 for UDP, TCP and SCTP, 5061 for TLS.”

The rule is there is no rule. Which is great!

In most, if not all, SIP clients you can specify the port to connect to on a SIP server or proxy. You can also set up DNS SRV records for your domain or SIP server’s name to allow clients (maybe scanners and attackers?) to find the correct non-standard SIP port.
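As an added illustration (not code from the original post), the sketch below shows the order in which a client settles on a port: an explicit port in the URI, then a DNS SRV record, then the RFC 3261 default. The SRV data is constructed, the `example.com` names are hypothetical, NAPTR lookup is skipped, and RFC 2782's weighted random choice is replaced by a deterministic pick of the highest weight.

```python
import re

# RFC 3261 defaults used when neither the URI nor DNS supplies a port.
DEFAULT_PORTS = {"udp": 5060, "tcp": 5060, "sctp": 5060, "tls": 5061}

# Constructed SRV data standing in for a live DNS lookup (hypothetical names).
# Each record is (priority, weight, port, target); 15555 is the article's example port.
SAMPLE_SRV = {
    "_sip._udp.example.com": [
        (20, 0, 5060, "backup.example.com"),
        (10, 60, 15555, "sip1.example.com"),
        (10, 40, 15555, "sip2.example.com"),
    ],
}

# scheme, optional userinfo, host (name or bracketed IPv6), optional port, URI params
URI_RE = re.compile(
    r"^(sips?):(?:[^@]+@)?(\[[^\]]+\]|[^:;?]+)(?::(\d+))?((?:;[^?]*)?)", re.I)

def resolve(uri, srv_records=SAMPLE_SRV):
    """Return (host, port, transport, source) for a SIP or SIPS URI."""
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    scheme, host, port, params = m.groups()
    host = host.lower().rstrip(".")
    tparam = re.search(r";transport=(\w+)", params, re.I)
    transport = tparam.group(1).lower() if tparam else "udp"
    if scheme.lower() == "sips":
        transport = "tls"                      # sips always means TLS
    if transport not in DEFAULT_PORTS:
        raise ValueError(f"unknown transport: {transport!r}")
    # 1. A port written in the URI wins; no SRV lookup is performed.
    if port:
        return host, int(port), transport, "uri"
    # 2. Otherwise ask DNS: lowest priority first, then (simplified) highest weight.
    service = "_sips._tcp" if transport == "tls" else f"_sip._{transport}"
    records = srv_records.get(f"{service}.{host}", [])
    if records:
        _, _, srv_port, target = min(records, key=lambda r: (r[0], -r[1]))
        return target, srv_port, transport, "srv"
    # 3. No SRV record: fall back to the well-known port for the transport.
    return host, DEFAULT_PORTS[transport], transport, "default"
```

The second branch is why publishing the port in SRV keeps configuration simple for users while also making it discoverable by anyone who queries the record.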

So using an alternate SIP port on your server is easy. But why would you want to?

Here are a few reasons:

1) Choosing a more obscure port for your SIP server is a good idea because it circumvents the most basic SIP scanning. Your server will still get scanned, but being a less obvious target is a good thing.

2) More importantly, devices like mobile hotspots, home routers, and metro WiFi networks often include a class of feature called Application Layer/Level Gateways (ALGs):

- Things like Cisco PIX’s SIP Fix-up feature
- A network process that believes it can be helpful (and rarely is)
- It’s designed to specifically stop the use of SIP clients within or on a network

Go on, try a new port!

In both of these cases, running a SIP server on a port other than 5060 has its benefits. Most scanners blindly look for responses from servers listening on 5060. Most ALGs don’t know what you might be connecting to on port 15555, so they let the traffic pass without mangling it.

Jim O’Brien is the Vice President of Server Engineering for CounterPath and directs his team in architecting, building and supporting server solutions that work closely with CounterPath softphone applications. Jim designed, launched, and supported wholesale and enterprise VoIP networks for GTE, Genuity, and Level(3). Jim joined CounterPath with the acquisition of BridgePort Networks in 2008.
